Abstract. A block cipher is intended to be computationally indistinguishable from a random permutation of appropriate domain and range. But what are the properties of a random permutation? By the aid of exponential and ordinary generating functions, we derive a series of corollaries of interest to the cryptographic community. These follow from the Strong Cycle Structure Theorem of permutations, and are useful in rendering rigorous two attacks on Keeloq, a block cipher in widespread use. These attacks formerly had heuristic approximations of their probability of success.

Moreover, we delineate an attack against the (roughly) millionth-fold iteration of a random permutation. In particular, we create a distinguishing attack, whereby the iteration of a cipher a number of times equal to a particularly chosen highly-composite number is breakable, but merely one fewer round is considerably more secure. We then extend this to a key-recovery attack in a "Triple-DES" style construction, but using AES-256 and iterating the middle cipher (roughly) a million-fold.

It is hoped that these results will showcase the utility of exponential and ordinary generating 
functions and will encourage their use in cryptanalytic research. 
1 Introduction



The technique of using a function of a variable to count objects of various sizes, using the properties of multiplication and addition of series as an aid, is accredited to Pierre-Simon Laplace [12]. Here, we will use this family of techniques, now called "analytic combinatorics", to count permutations of particular types. An ordinary generating series associated with a set of objects assigns as the coefficient of the $i$th term the number of objects of size $i$. An exponential generating series is merely this, with each term divided by $i!$. In particular, this can be used to describe permutations drawn at random from $S_n$, which is the topic of this paper.

The cipher Keeloq can be written as the eighth iterate of a permutation followed by one more permutation [3, Ch. 2]. This eighth power naturally affects the cycle structure; for example, we will prove that the fixed points of the eighth power are those of order $\{1, 2, 4, 8\}$ under the original. There are many other properties of these repeated permutations that follow from the factorization of the number of iterations, and we will show cryptanalytic consequences.

In the remainder of this section we will introduce analytic combinatorics through exponential and ordinary generating functions. In Section 2 we prove a theorem on the cycle structures of random permutations, and in Section 3 we present a number of corollaries. We imagine that most if not all of these are already known in some form, but here we are compiling them all in one place, with a view to determining when a random permutation has a given property, rather than merely counting objects, which is the usual use of the techniques of this subject. The proofs are our own. In Section 4, we apply these techniques to Keeloq, and describe two quite feasible attacks, but also their exact success probabilities. These attacks have been previously described as requiring the entire code-book of the cipher (all plaintext-ciphertext pairs under the current key), but here we let $\eta$ represent the fraction of the code-book available, and show how $\eta$ affects the success probability. In Section 5, we present an unusual example, where a very highly iterated cipher appears to be secure, but adding one iteration opens up a feasible and effective distinguishing attack. We conclude in Section 6.

1.1 Background 

A combinatorial class $\mathcal{C}$ is a set of objects $C$ together with a function $\ell_C : C \to \mathbb{Z}^{\ge 0}$, which assigns to each element a non-negative integer "size". For example, if $P$ is the set of permutation groups $S_n$ for all positive integers $n$, then we may use the size function $\ell_P(\pi) = n$, for any $\pi \in S_n$, to make $\mathcal{P}$ into a combinatorial class.

Let $C_i$ be the cardinality of the set of elements of $C$ with size $i$. Thus in our example, $P_i = i!$ for $i > 0$. It will be useful to represent $C_i$ by either an exponential or an ordinary generating function (OGF or EGF). First, a brief discussion of generating functions is in order.

Given a set of constants indexed by $\mathbb{Z}^{\ge 0}$, say $c_0, c_1, c_2, \ldots$, the ordinary generating function (or OGF) is defined as the formal power series:

$$C(z) \stackrel{\text{def}}{=} \sum_{i=0}^{\infty} c_i z^i = c_0 + c_1 z + c_2 z^2 + c_3 z^3 + \cdots .$$

The EGF is defined as the formal power series:

$$C_e(z) \stackrel{\text{def}}{=} \sum_{i=0}^{\infty} \frac{c_i}{i!} z^i = c_0 + \frac{c_1}{1!} z + \frac{c_2}{2!} z^2 + \frac{c_3}{3!} z^3 + \cdots .$$

For our example combinatorial class, $\mathcal{P}$, its OGF is $\mathcal{P}(z) = z + 2z^2 + 6z^3 + 24z^4 + 120z^5 + \cdots$, and its EGF is $\mathcal{P}_e(z) = z + z^2 + z^3 + z^4 + z^5 + \cdots$. The series $1 + z + z^2 + z^3 + z^4 + z^5 + \cdots$ represents the OGF of the non-negative integers, $\mathbb{Z}^{\ge 0}$, with "size" function being the identity: $\ell(n) = n$.

In combinatorial arguments, OGFs and EGFs abound [12] [15] and are especially useful in counting partitions of sets. For example, let $A_1, A_2, \ldots, A_k$ be sets of whole numbers. The number of all distinct ways that $n$ identical objects can be placed into $k$ containers, where container $j$ must have some number of objects that occurs in the set $A_j$, will be the coefficient of $z^n$ in the OGF:

$$\left(\sum_{i \in A_1} z^i\right)\left(\sum_{i \in A_2} z^i\right) \cdots \left(\sum_{i \in A_k} z^i\right),$$

a function that we will use in the proof of Lemma 2.3. Notice that the $j$th factor is the OGF that represents the set $A_j$. There is a similar interpretation for EGFs and products of EGFs, in terms of probability rather than strict counting. See Section 3.2 or Theorem 3.8 as an example.

A less trivial example of a combinatorial class is the class $\mathcal{O}$ of $n$-cycles of $S_n$, for all $n > 0$, with size function $\ell(\pi) = n$ if $\pi \in S_n$. In other words, the size-$n$ members of $\mathcal{O}$ comprise the subset of permutations of $S_n$ where the permutation has exactly one orbit. For any $n > 0$ there are $n!/n$, or $(n-1)!$, of these. Thus the OGF is $z + z^2 + 2z^3 + 6z^4 + 24z^5 + 120z^6 + \cdots$, and the EGF is $z + z^2/2 + z^3/3 + z^4/4 + z^5/5 + z^6/6 + \cdots$. Thus the probability that a random permutation from $S_n$ has only one cycle is given by the coefficient of the $z^n$ term in the EGF, namely $(n-1)!/n! = 1/n$.

Often, the formal power series defining OGFs or EGFs converge to functions (in some neighborhood of 0). For example, the OGF for $\mathbb{Z}^{\ge 0}$ converges to $1/(1-z)$, and its EGF converges to $e^z$. The EGF for the combinatorial class $\mathcal{O}$ above also converges:

$$z + \frac{z^2}{2} + \frac{z^3}{3} + \frac{z^4}{4} + \frac{z^5}{5} + \frac{z^6}{6} + \cdots = \log\left(\frac{1}{1-z}\right),$$

as can be verified by term-by-term integration of the power series for $1/(1-z)$. The existence of such functions will facilitate multiplications and compositions.



1.2 Notation 

The somewhat unusual notation of $\exp(C)$, where $C$ is a series, means precisely substituting the entire series $C$ for $z$ into the Taylor expansion for $e^z = \sum_{i \ge 0} z^i/i!$, similar to matrix exponentiation.

It is well-known that any permutation may be written uniquely as a product of disjoint cycles, up to reordering of the cycles and cyclic reordering within each cycle; indeed, for any given permutation $\pi$ consisting of $k$ disjoint cycles, having cycle lengths $c_1, c_2, c_3, \ldots, c_k$, there are exactly $k!\,c_1 c_2 c_3 \cdots c_k$ ways to reorder to obtain an equivalent expression for $\pi$. Any counts we make of symmetric group elements must take this fact into account. Note, we use the convention that if $\pi$ has a fixed point, $a$, then the 1-cycle $(a)$ is part of the expression for $\pi$ as disjoint cycles. In particular, the identity of $S_n$ is written $(1)(2)(3)\cdots(n)$. We use the term cycle-count for the number of disjoint cycles (including all 1-cycles) in the expression of a permutation. It shall be convenient to include in our analysis the unique permutation of no letters, which has by convention cycle-count 0. We may view this element as the sole member of $S_0$.



2 Strong and Weak Cycle Structure Theorems 

Let $A$ be a subset of the positive integers. We consider the class of permutations that consist entirely of disjoint cycles of lengths in $A$, and denote this by $\mathcal{P}^{(A,\,\mathbb{Z}^{\ge 0})}$. Furthermore, if $B \subseteq \mathbb{Z}^{\ge 0}$, we may consider the subclass $\mathcal{P}^{(A,B)} \subseteq \mathcal{P}^{(A,\,\mathbb{Z}^{\ge 0})}$ consisting of only those permutations whose cycle count is found in $B$. That is, any permutation of cycle count not in $B$, or containing a cycle length not in $A$, is prohibited.
The following theorems were first proven (presumably) long ago but can be found in [12] and also [15], and it is commonly noted that the technique in general was used by Laplace in the late 18th century. The nomenclature, however, is ours.

Theorem 2.1. The Strong Cycle Structure Theorem:

The combinatorial class $\mathcal{P}^{(A,B)}$ has associated EGF $\mathcal{P}^{(A,B)}(z) = \beta(\alpha(z))$, where $\beta(z)$ is the EGF associated to $B$ and

$$\alpha(z) = \sum_{i \in A} \frac{z^i}{i}.$$

However, we only need a weaker form in all but one case in this paper: 

Theorem 2.2. The Weak Cycle Structure Theorem:

The combinatorial class $\mathcal{P}^{(A,\,\mathbb{Z}^{\ge 0})}$ has associated EGF $\mathcal{P}^{(A,\,\mathbb{Z}^{\ge 0})}(z) = \exp(\alpha(z))$, where $\alpha(z)$ is as above:

$$\alpha(z) = \sum_{i \in A} \frac{z^i}{i}.$$



This is clearly a special case of the Strong Cycle Structure Theorem with $\beta(z) = 1 + z + z^2/2! + z^3/3! + z^4/4! + \cdots = e^z$ (the EGF of $\mathbb{Z}^{\ge 0}$). Interestingly, if $A = \mathbb{Z}^+$ then $\alpha(z) = z + z^2/2 + z^3/3 + z^4/4 + z^5/5 + \cdots = \log\left(\frac{1}{1-z}\right)$, which provides a verification of the theorem in this special case:

$$\exp\left(\log\left(\frac{1}{1-z}\right)\right) = \frac{1}{1-z} = 1 + z + z^2 + z^3 + z^4 + \cdots,$$

which is the EGF for the combinatorial class $\mathcal{P}$ of all permutations (together with the unique permutation on no letters), as expected.

Since the proof of the strong version is not fundamentally more difficult than the 
weak version, we shall provide a proof of Theorem 2.1. While this has been proven 
already in [12], we feel that a more expository proof is appropriate in this context. 
First, a lemma which proves the case B = {k}. 

Lemma 2.3. The combinatorial class $\mathcal{P}^{(A,\{k\})}$ has associated EGF

$$\mathcal{P}^{(A,\{k\})}(z) = \frac{1}{k!}\left(\sum_{i \in A} \frac{z^i}{i}\right)^k.$$

Proof. Let $A \subseteq \mathbb{Z}^+$. For a given cycle-count, $k$, we must only include cycles of lengths found in $A$. Begin with an OGF. If $\pi \in S_n$ has $k$ cycles, then its cycle structure defines a partition of $n$ identical objects into $k$ containers, where each container cannot have any number of objects that does not occur as a member of $A$. The OGF that generates this is $\left(\sum_{i \in A} z^i\right)^k$, as stated in Section 1.1. Now, we must remember that those objects in the containers are not identical! Think of each cycle-structure as being a template onto which we attach the labels $1, 2, 3, 4, \ldots, n$ in some order. A priori, this provides a factor of $n!$ for each partition of $n$, and so the coefficient of $z^n$ in the above OGF should be multiplied by $n!$. The best way to accomplish this is to simply consider our OGF as an EGF: in our OGF, if $C_n$ is the coefficient of $z^n$, then as EGF, $n!\,C_n$ is the coefficient of $z^n/n!$. Now, for each disjoint cycle of length $i$, there are $i$ ways of cyclically permuting the labels, each giving rise to an equivalent representation of the same $i$-cycle. Thus, we have over-counted unless we divide each term $z^i$ by $i$. Finally, each rearrangement of the $k$ cycles among themselves gives rise to an equivalent expression for the permutation, so we must divide by $k!$, and our EGF for permutations of cycle-count $k$ with cycle-lengths in $A$ now has the required form,

$$\mathcal{P}^{(A,\{k\})}(z) = \frac{1}{k!}\left(\sum_{i \in A} \frac{z^i}{i}\right)^k. \qquad \square$$

The proof of Theorem 2.1 then follows easily: 

Proof. Let $A \subseteq \mathbb{Z}^+$, $B \subseteq \mathbb{Z}^{\ge 0}$. Categorize all permutations in $\mathcal{P}$ by cycle-count. Only permutations with cycle-counts $k \in B$ will contribute to our total, so by Lemma 2.3,

$$\mathcal{P}^{(A,B)}(z) = \sum_{k \in B} \mathcal{P}^{(A,\{k\})}(z) = \sum_{k \in B} \frac{1}{k!}\left(\sum_{i \in A}\frac{z^i}{i}\right)^k = \beta(\alpha(z)),$$

since $\sum_{k \in B} z^k/k!$ is the EGF associated to $B$. The Weak Cycle Structure Theorem then follows as an immediate corollary. □

2.1 Probabilities 

In cryptography and other disciplines, we are often concerned with determining whether or not a random permutation has some given property $\phi$. We can then calculate the OGF of the combinatorial class $\mathcal{F}$ of permutations with that property, and divide term-wise by the same term from the OGF of $\mathcal{P}$, the combinatorial class of all permutations. But this is the same as the coefficients of the EGF of $\mathcal{F}$.

This works for any specific size, but first, it might be difficult to calculate, and second, we might want to know the limit of this probability as the size goes to infinity.

Theorem 2.4. Let $\mathcal{F} \subseteq \mathcal{P}$ be the combinatorial class of permutations with property $\phi$. Suppose further $\mathcal{F}$ has EGF equal to $f(z)$. Then the limit (as $n$ goes to infinity) of the probability that a random permutation of size $n$ has property $\phi$ is given by

$$p = \lim_{z \to 1^-} (1-z) f(z)$$

provided that $(1-z)f(z)$ is continuous from the left at $z = 1$.

Proof. Let the OGF of $\mathcal{F}$ be given by $A_0 + A_1 z + A_2 z^2 + A_3 z^3 + A_4 z^4 + A_5 z^5 + \cdots$. Consider the following function

$$g_n(z) = A_0 + \sum_{1 \le i \le n}\left(\frac{A_i}{i!} - \frac{A_{i-1}}{(i-1)!}\right) z^i,$$

which, when evaluated at $z = 1$, telescopes: $g_n(1) = A_n/n!$. Thus $g_n(1)$ is the desired probability, for size $n$.

The limit $g(z) = \lim_{n \to \infty} g_n(z) = A_0 + \sum_{i \ge 1}\left(\frac{A_i}{i!} - \frac{A_{i-1}}{(i-1)!}\right) z^i$ does not necessarily exist for all $z$, but when it does, we have

$$g(z) = \lim_{n\to\infty} g_n(z) = \left(\sum_{i=0}^{\infty} \frac{A_i}{i!} z^i\right) - z\left(\sum_{j=0}^{\infty} \frac{A_j}{j!} z^j\right) = (1 - z) f(z).$$

Thus $p = \lim_{n\to\infty} g_n(1) = \lim_{n\to\infty}\lim_{z\to 1^-} g_n(z) = \lim_{z \to 1^-}(1-z)f(z)$.

Note, we implicitly assumed that $(1-z)f(z)$ is continuous (from the left) near $z = 1$ in order to reverse the order of the limits in the last step, but this will be the case in all of our examples. □



2.2 Expected Values 

While OGFs and EGFs are very useful for the study of a one-parameter family of constants, $A_0, A_1, A_2, A_3, \ldots$, we often wish to work with a two-parameter family, $\{A_{s,t}\}_{s,t \ge 0}$. This is accomplished using double generating functions. The double OGF, $A(y,z)$, of a two-parameter family of constants is defined to be the formal sum:

$$A(y,z) = \sum_{s=0}^{\infty}\sum_{t=0}^{\infty} A_{s,t}\, y^s z^t,$$

and the EGF $A_e(y,z)$ is defined to be the formal sum:

$$A_e(y,z) = \sum_{s=0}^{\infty}\sum_{t=0}^{\infty} \frac{A_{s,t}}{(s+t)!}\, y^s z^t.$$

For our purposes, we will be interested in a combinatorial class of permutations 
categorized not only by the order of the symmetric group S n in which the permutation 
lies, but also by the number of fixed points that the permutation possesses. 

Theorem 2.5. Let $\mathcal{F} \subseteq \mathcal{P}$ be a combinatorial class of permutations with double EGF $\alpha(y,z)$, where the coefficient of $y^s z^t/(s+t)!$ is the number of permutations $\pi$ with property $\phi_s$ such that $\pi \in S_{s+t}$. Then the limit (as $n = s+t$ goes to infinity) of the expected value of $s$ such that a random permutation of size $n$ satisfies $\phi_s$ is given by:

$$\lim_{z \to 1^-} (1-z)\,\alpha_y(z,z)$$

provided $(1-z)\alpha_y(z,z)$ is convergent and continuous from the left at $z = 1$.
Proof. Let $\alpha(y,z) = \sum_{s \ge 0}\sum_{t \ge 0} y^s z^t A_{s,t}/(s+t)!$. The coefficient of $y^s z^t$ is the probability that a random permutation of $S_{s+t}$ has property $\phi_s$, by construction. Consider the partial derivative with respect to $y$:

$$\alpha_y(y,z) = \sum_{s > 0}\sum_{t \ge 0} \frac{s\,A_{s,t}}{(s+t)!}\, y^{s-1} z^t.$$

The probabilities are now multiplied by the corresponding value of $s$. Now, letting $y = z$ produces:

$$\alpha_y(z,z) = \sum_{s > 0}\sum_{t \ge 0} \frac{s\,A_{s,t}}{(s+t)!}\, z^{s+t-1} = \sum_{n > 0}\left(\sum_{s+t=n} \frac{s\,A_{s,t}}{n!}\right) z^{n-1}.$$

Thus, $\alpha_y(z,z)$ is the OGF that computes the expected value of $s$ such that a random permutation of size $n$ satisfies $\phi_s$ (shifted by one degree). Using the same technique as in the proof of Thm 2.4, we find that

$$\lim_{z \to 1^-}(1-z)\,\alpha_y(z,z) = \lim_{n\to\infty}\left(\sum_{s+t=n} \frac{s\,A_{s,t}}{n!}\right). \qquad \square$$

3 Corollaries 

Theorem 2.4 is exploited extensively in a paper by Marko R. Riedel dedicated to random permutation statistics, but in a different context (see [15]).

Corollary 3.1. The probability that a random permutation (in the limit as the size grows to infinity) does not contain cycles of length $k$ is given by $e^{-1/k}$.

Proof. The set $A$ of allowable cycle lengths is $\mathbb{Z}^+ - \{k\}$, and so has EGF given by artificially removing the term for $k$ from the EGF of $\mathcal{O}$:

$$z + \frac{z^2}{2} + \frac{z^3}{3} + \cdots + \frac{z^{k-1}}{k-1} + \frac{z^{k+1}}{k+1} + \frac{z^{k+2}}{k+2} + \cdots = \log\left(\frac{1}{1-z}\right) - \frac{z^k}{k},$$

and thus by the Weak Cycle Structure Theorem, the combinatorial class in question has EGF equal to

$$a(z) = \exp\left(\log\left(\frac{1}{1-z}\right) - \frac{z^k}{k}\right) = \frac{1}{1-z}\, e^{-z^k/k}.$$

Thus the probability of a random permutation (as the size tends toward infinity) not having any cycles of length $k$ is given by $\lim_{z \to 1^-}(1-z)a(z) = e^{-1/k}$. □






Nicolas T. Courtois, Gregory V. Bard, and Shaun V. Ault 



Note: On the Precision of these estimations: This result means that $p \to e^{-1/k}$ when $N \to \infty$. What about when $N = 2^{32}$? We can answer this question easily by observing that the Taylor expansion of the function $a(z)$ is the EGF and therefore gives all the exact values of $A_n/n!$. For example, when $k = 4$ we computed the Taylor expansion of $a(z)$ at order 201, where each coefficient is computed as a ratio of two large integers. This takes less than a second with the computer algebra software Maple [14]. The results are surprisingly precise: the difference between $A_{200}/200!$ and the limit is less than $2^{-321}$. Thus convergence is very fast, even for very small permutations (on 200 elements).
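The computation just described, as an added Python example that is not the paper's Maple code: it expands $a(z) = e^{-z^k/k}/(1-z)$ exactly as rationals, checks the coefficients $A_n/n!$ against a brute-force count over $S_n$ for small $n$, and measures the distance from $e^{-1/k}$ at $n = 200$.

```python
# Added example (not from the paper): the exact coefficients A_n/n! of the EGF
# a(z) = e^{-z^k/k} / (1 - z) of Corollary 3.1, i.e. the exact probability that a
# random permutation of S_n has no cycle of length k, computed as rationals,
# checked by brute force for small n and against the limit e^{-1/k}.
from fractions import Fraction
from itertools import permutations
from math import exp, factorial


def egf_coefficients(k, order):
    """A_n/n! for n = 0..order, where a(z) = exp(-z^k/k) * 1/(1-z).

    exp(-z^k/k) = sum_m (-1)^m z^{km} / (k^m m!), and multiplying by
    1/(1-z) = 1 + z + z^2 + ... replaces each coefficient by a partial sum."""
    coeffs, partial = [], Fraction(0)
    for n in range(order + 1):
        if n % k == 0:
            m = n // k
            partial += Fraction((-1) ** m, k ** m * factorial(m))
        coeffs.append(partial)
    return coeffs


def cycle_lengths(perm):
    """Cycle lengths of a permutation given as perm[i] = image of i."""
    seen, lengths = [False] * len(perm), []
    for start in range(len(perm)):
        if seen[start]:
            continue
        length, x = 0, start
        while not seen[x]:
            seen[x] = True
            x, length = perm[x], length + 1
        lengths.append(length)
    return lengths


def brute_force_no_k_cycle(k, n):
    """Exact fraction of S_n with no k-cycle, enumerating all n! permutations."""
    good = sum(1 for p in permutations(range(n)) if k not in cycle_lengths(p))
    return Fraction(good, factorial(n))


def distance_to_limit(k, n):
    """|A_n/n! - e^{-1/k}|: how close size-n permutations already are to the limit."""
    return abs(float(egf_coefficients(k, n)[n]) - exp(-1.0 / k))


if __name__ == "__main__":
    for n in range(8):
        print(n, egf_coefficients(4, n)[n], brute_force_no_k_cycle(4, n))
    print("n = 200:", distance_to_limit(4, 200))
```

The k = 1 case of the same functions gives the derangement probabilities of Corollary 3.4.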

Returning to the proving of corollaries, let us define $\mathcal{P}^A = \mathcal{P}^{(\mathbb{Z}^+ - A,\, \mathbb{Z}^{\ge 0})}$ and find its EGF.

Lemma 3.2. The EGF of $\mathcal{P}^A$ is given by $\exp(f(z))$, where

$$f(z) = \sum_{i \notin A} \frac{z^i}{i} = \log\left(\frac{1}{1-z}\right) - \sum_{i \in A} \frac{z^i}{i}.$$

Proof. Because $\mathcal{P}^A = \mathcal{P}^{(\mathbb{Z}^+ - A,\, \mathbb{Z}^{\ge 0})}$ we can use the Weak Cycle Structure Theorem. The EGF of the combinatorial class of cycles with size from the set $\mathbb{Z}^+ - A$ is given by that of $\mathcal{O}$ (the class of all cycles) with the "forbidden lengths" artificially set to zero, namely

$$\sum_{i \in (\mathbb{Z}^+ - A)} \frac{z^i}{i} = \sum_{0 < i \notin A} \frac{z^i}{i} = \log\left(\frac{1}{1-z}\right) - \sum_{i \in A}\frac{z^i}{i}.$$

The correct answer follows. □

Corollary 3.3. Let $A$ be a subset of the positive integers. The probability that a random permutation (in the limit as the size grows to infinity) does not contain cycles of length in $A$ is:

$$\prod_{i \in A} e^{-1/i}.$$

Proof. Using Lemma 3.2 we obtain an EGF of

$$\exp\left(\log\left(\frac{1}{1-z}\right) - \sum_{i \in A}\frac{z^i}{i}\right) = \frac{1}{1-z}\prod_{i \in A} e^{-z^i/i},$$

then multiplying by $(1-z)$ and taking the limit as $z \to 1^-$ gives the desired result. □

This offers confirmation of Corollary 3.1 when substituting A = {k}. A permutation 
with no fixed points is called a derangement. Using a similar strategy, we can calculate 
the probability of a derangement. 

Corollary 3.4. Let $\pi$ be a permutation taken at random from $S_n$. The probability that $\pi$ is a derangement is $1/e$ in the limit as $n \to \infty$.

Proof. Just apply Corollary 3.3 to the case of cycle length 1. □
Suppose we wish to consider if a permutation has exactly $t$ cycles of length from a set $A \subseteq \mathbb{Z}^+$; in other words, all the other cycles are of length not found in $A$. In that case, we can consider such a permutation $\pi$ as a product of $\pi_A$ and $\pi_B$ such that $\pi_A$ has only $t$ cycles of length found in $A$, and nothing else, and $\pi_B$ has only cycles of length not found in $A$. This is termed by Flajolet and Sedgewick a "labelled product"¹, and a discussion of that is found in Section II.2 in [12]. The EGF of a labelled product is merely the product of the EGFs.

Theorem 3.5. Let $\pi$ be a permutation taken at random from $S_n$. The probability that $\pi$ has $c$ fixed points is $\frac{1}{c!\,e}$, in the limit as $n \to \infty$.

Proof. Consider $\pi = \pi_A\pi_B$, where $\pi_A$ consists of exactly $c$ fixed points, and $\pi_B$ is a derangement of the remaining $n - c$ points. We must compute the labelled product $f(z) = \mathcal{P}^{(\{1\},\{c\})}(z) \cdot \mathcal{P}^{(\mathbb{Z}^+ - \{1\},\, \mathbb{Z}^{\ge 0})}(z)$. Thus, by the Strong and Weak Cycle Structure Theorems,

$$f(z) = \frac{z^c}{c!}\exp\left(\log\left(\frac{1}{1-z}\right) - z\right) = \frac{z^c}{c!\,(1-z)}\, e^{-z}.$$

An application of Thm 2.4 provides the result:

$$\lim_{z\to 1^-}(1-z)f(z) = \lim_{z \to 1^-} \frac{z^c}{c!}\, e^{-z} = \frac{1}{c!\,e}. \qquad \square$$

3.1 On Cycles in Iterated Permutations 

Theorem 3.6. Let $\pi$ be a permutation in $S_n$. A point $x$ is a fixed point for $\pi^k$ if and only if $x$ is a member of a cycle of length $i$ in $\pi$, for some positive integer $i$ dividing $k$.

Proof. Write $\pi$ in disjoint cycle notation; then $x$ appears in only one cycle (hence the name "disjoint"). Call this cycle $\psi$. Since all other cycles do not contain $x$, $\pi^m(x) = \psi^m(x)$ for all integers $m$. Of course, $\psi$ is of order $i$ in $S_n$, thus $\psi^i = id$, the identity element of $S_n$.

If $x$ is in a cycle of length $i$ then that means that $i$ is the smallest positive integer such that $\psi^i(x) = x$. Write $k = qi + r$ with $0 \le r < i$. Then

$$x = \psi^k(x) = \psi^r(\psi^{qi}(x)) = \psi^r((\psi^i)^q(x)) = \psi^r(id^q(x)) = \psi^r(id(x)) = \psi^r(x),$$

so $\psi^r(x) = x$, but we said that $i$ is the least positive integer such that $\psi^i(x) = x$, and $r < i$. The only way this is possible is if $r$ is not positive, i.e. it is zero. Thus $k = qi$, or $i$ divides $k$.

The reverse assumes that $i$ divides $k$, so write $iq = k$; then

$$\pi^k(x) = \psi^{iq}(x) = (\psi^i)^q(x) = (id)^q(x) = id(x) = x. \qquad \square$$

¹ A labelled product can be thought of as follows. If the EGF $a(z) = b(z)c(z)$, where $b$ and $c$ are also EGFs, then $a_n = \sum_{k=0}^{n}\binom{n}{k} b_k c_{n-k}$. Here, after building our combinatorial object in class $a$ of size $n$ out of 'an object' from $b$ of size $k$, and 'an object' from $c$ of size $n-k$, we must then attach $k$ of the $n$ labels to the former, and attach the remaining $n-k$ labels to the latter. There are precisely $\binom{n}{k} = \binom{n}{n-k}$ ways to do that.
An Example. Before we continue, observe what happens to a cycle of $\pi$ when evaluating $\pi^2$. First, if the cycle is of odd length,

$$(x_1, x_2, \ldots, x_{2c+1}) \mapsto (x_1, x_3, x_5, \ldots, x_{2c+1}, x_2, x_4, x_6, \ldots, x_{2c}),$$

but if the cycle is of even length,

$$(x_1, x_2, \ldots, x_{2c}) \mapsto (x_1, x_3, x_5, \ldots, x_{2c-1})(x_2, x_4, x_6, x_8, \ldots, x_{2c}).$$

One can rephrase Theorem 3.6 as follows:

Corollary 3.7. Let $\pi$ be a permutation from $S_n$. Let $k$ be a positive integer, and let the set of positive integer divisors of $k$ be $D$. Then the set of fixed points of $\pi^k$ is precisely the set of points under $\pi$ in cycles of length found in $D$.

3.2 Limited Cycle Counts

Theorem 3.8. Let $k$ be a positive integer, and $\pi$ a permutation from $S_n$. The expected number of fixed points of $\pi^k$ is $\tau(k)$, taken in the limit as $n \to \infty$. Note, $\tau(k)$ is the number of positive integers dividing $k$.

Proof. We shall construct a double EGF, $\alpha(y,z)$, where the coefficient of $y^s z^t$ is the probability that the $k$th power of a random permutation of $S_{s+t}$ has $s$ fixed points. Let $\pi$ be a permutation taken at random from $S_n$. A point $x$ is a fixed point under $\pi^k$ if and only if $x$ is a member of a cycle of order dividing $k$ under $\pi$, via Theorem 3.6. Thus $\pi^k$ has exactly $s$ fixed points if and only if $\pi = \pi_A\pi_B$, where $\pi_A \in S_s$ consists only of cycles of length dividing $k$, and $\pi_B \in S_{n-s}$ consists only of cycles of length not dividing $k$. Let $D_k$ be the set of all positive divisors of $k$. The double EGF that counts the number of such permutations $\pi_A\pi_B$ will be given by the labelled product $\mathcal{P}^{(D_k,\,\mathbb{Z}^{\ge 0})}(y)\cdot\mathcal{P}^{(\mathbb{Z}^+ - D_k,\,\mathbb{Z}^{\ge 0})}(z)$. By the Weak Cycle Structure Theorem and Lemma 3.2, we obtain:

$$\alpha(y,z) = \exp\left(\sum_{i \mid k}\frac{y^i}{i}\right)\cdot\frac{1}{1-z}\exp\left(-\sum_{i \mid k}\frac{z^i}{i}\right).$$

Theorem 2.5 provides the correct expected value. First observe that

$$\alpha_y(y,z) = \left(\sum_{i \mid k} y^{i-1}\right)\exp\left(\sum_{i \mid k}\frac{y^i}{i}\right)\cdot\frac{1}{1-z}\exp\left(-\sum_{i \mid k}\frac{z^i}{i}\right).$$
Then $\alpha_y(z,z) = \frac{1}{1-z}\exp(0)\sum_{i \mid k} z^{i-1}$. Finally,

$$\lim_{z\to 1^-}(1-z)\,\alpha_y(z,z) = \lim_{z\to 1^-}\sum_{i \mid k} z^{i-1} = \tau(k). \qquad \square$$

The plaintext is $P_0, \ldots, P_{31}$ and the ciphertext is $C_0, \ldots, C_{31}$. The internal state after round $i$ is given by $L_{0+i}, L_{1+i}, L_{2+i}, \ldots, L_{31+i}$.

$$L_i = P_i \quad \forall i \in [0, 31]$$

$$L_i = k_{(i-32) \bmod 64} + L_{i-32} + L_{i-16} + NLF(L_{i-1}, L_{i-6}, L_{i-12}, L_{i-23}, L_{i-30}) \quad \forall i \in [32, 559]$$

$$C_{i-528} = L_i \quad \forall i \in [528, 559]$$

where NLF stands for "non-linear function", and is given by

$$NLF(a, b, c, d, e) = d + e + ac + ae + bc + be + cd + de + ade + ace + abd + abc$$

Figure 1. The Specification of Keeloq
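Before turning to Keeloq, Theorem 3.6, Corollary 3.7 and Theorem 3.8 checked on explicit permutations, as an added Python example that is not part of the paper. The sample permutation is constructed here; the finite-$n$ statement in the docstring of `exact_mean_fixed_points` (the expectation over $S_n$ equals the number of divisors of $k$ not exceeding $n$) is a refinement of Theorem 3.8 that the enumeration confirms.

```python
# Added example (not from the paper): Theorem 3.6 / Corollary 3.7 and Theorem 3.8
# checked on explicit permutations. A permutation is a list perm with
# perm[i] = image of i; every permutation below is constructed here.
import random
from fractions import Fraction
from itertools import permutations
from math import factorial

# Constructed sample: (0 1 2)(3 4)(5)(6 7 8 9), written as perm[i] = image of i.
SAMPLE_PERM = [1, 2, 0, 4, 3, 5, 7, 8, 9, 6]


def power(perm, k):
    """pi^k as a list, by iterating the map k times on every point."""
    result = list(range(len(perm)))
    for _ in range(k):
        result = [perm[x] for x in result]
    return result


def fixed_points(perm):
    return {x for x, y in enumerate(perm) if x == y}


def cycle_length_of(perm, x):
    """Length of the cycle of perm that contains the point x."""
    length, y = 1, perm[x]
    while y != x:
        y, length = perm[y], length + 1
    return length


def points_in_cycles_dividing(perm, k):
    """Corollary 3.7: the points lying in cycles whose length divides k."""
    return {x for x in range(len(perm)) if k % cycle_length_of(perm, x) == 0}


def tau(k):
    """Number of positive divisors of k."""
    return sum(1 for d in range(1, k + 1) if k % d == 0)


def exact_mean_fixed_points(n, k):
    """E[#fixed points of pi^k] over all of S_n, by enumeration (small n only).

    For finite n this equals #{d | k : d <= n} (each divisor d <= n contributes
    one expected point), which is tau(k) as soon as n >= k: Theorem 3.8 at finite n."""
    total = sum(len(fixed_points(power(p, k))) for p in permutations(range(n)))
    return Fraction(total, factorial(n))


def sampled_mean_fixed_points(n, k, trials, seed=1):
    """Monte Carlo estimate of the same expectation for n too large to enumerate."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        perm = list(range(n))
        rng.shuffle(perm)
        total += len(fixed_points(power(perm, k)))
    return total / trials


if __name__ == "__main__":
    print(sorted(fixed_points(power(SAMPLE_PERM, 8))))  # the 2-cycle, the 4-cycle and the fixed point
    print(exact_mean_fixed_points(7, 12), tau(12))      # divisors of 12 up to 7 give 5; tau(12) = 6
    print(sampled_mean_fixed_points(64, 8, 4000), tau(8))
```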

4 Application to Keeloq

4.1 What is Keeloq?

Keeloq is a block cipher, with 32-bit plaintext and ciphertext blocks and a 64-bit key. It has been used in the remote keyless entry systems of many manufacturers of automobiles, and several papers have been written about it [5] [6] [7] [8] [10] [11] [3, Ch. 2] [9]. It has 528 rounds, which is unusually high, and this can be written $528 = 8 \times 64 + 16$, a decomposition whose utility will be apparent shortly. Each round is like a stream cipher, in the sense that the internal state is a 32-bit register, which is shifted one bit, and a new bit is introduced. The new bit is a function of certain bits of the internal state, and a single bit of the key, via a map described by a cubic polynomial over GF(2); see for example [2] [3, Ch. 2]. The initial value of the internal state is the plaintext, and the final value is the ciphertext. For completeness, the cipher specification is given in Figure 1.

Also, because each round only uses 1 bit of the key (and they are used in sequence), after 64 rounds the entire key has been used. Therefore, it makes sense to define $f_k$, a function which represents those 64 rounds. Each additional 64 rounds behaves identically. It turns out that $f_k$ is a permutation. The remaining 16 rounds are written as $g_k$, which is also a permutation. Of course, if either $f_k$ or $g_k$ were not permutations, then the block cipher would not be uniquely decodable.
Thus we can write $g_k(f_k^{(8)}(p)) = E_k(p)$, and this motivated the authors' initial interest in iterated permutations. Also it is noteworthy that only 16 bits of the key are used by $g_k$, thus only 16 bits of the key need be known or guessed to use $g_k^{-1}$ to "peel off" or "undo" these 16 rounds, leaving us with $f_k^{(8)}$, the eighth iterate of a permutation.
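The recurrence of Figure 1 and the factorisation $E_k = g_k \circ f_k^{(8)}$, as an added Python example that is neither the paper's code nor a reference implementation: it follows the rounds exactly as written in Figure 1 (tap positions included), so the bit-ordering conventions (plaintext bit $j$ is $P_j$, key bit $j$ is $k_j$) are assumptions of this example, and the sample key and plaintext are constructed.

```python
# Added example (not the paper's code): the Keeloq recurrence exactly as written in
# Figure 1, organised as E_k = g_k(f_k^(8)(p)). Bit conventions are assumptions made
# here: plaintext bit j is P_j, key bit j is k_j, and state bit j holds L_{i-32+j}.

SAMPLE_KEY = 0x0123456789ABCDEF   # constructed 64-bit key
SAMPLE_P = 0x12345678             # constructed 32-bit plaintext


def nlf(a, b, c, d, e):
    """The cubic non-linear function NLF of Figure 1, over GF(2)."""
    return (d ^ e ^ (a & c) ^ (a & e) ^ (b & c) ^ (b & e) ^ (c & d) ^ (d & e)
            ^ (a & d & e) ^ (a & c & e) ^ (a & b & d) ^ (a & b & c)) & 1


def to_bits(x, n):
    return [(x >> j) & 1 for j in range(n)]


def from_bits(bits):
    return sum(b << j for j, b in enumerate(bits))


def round_forward(L, key_bit):
    """One round. L holds L_{i-32},...,L_{i-1}; returns L_{i-31},...,L_i with
    L_i = k + L_{i-32} + L_{i-16} + NLF(L_{i-1}, L_{i-6}, L_{i-12}, L_{i-23}, L_{i-30})."""
    new = key_bit ^ L[0] ^ L[16] ^ nlf(L[31], L[26], L[20], L[9], L[2])
    return L[1:] + [new]


def round_backward(M, key_bit):
    """Inverse round: the recurrence solved for L_{i-32}. Every round is therefore
    a bijection, which is why f_k and g_k are permutations."""
    old = key_bit ^ M[31] ^ M[15] ^ nlf(M[30], M[25], M[19], M[8], M[1])
    return [old] + M[:31]


def rounds(x, key, nrounds, inverse=False):
    """nrounds rounds starting at key bit k_0 (round r uses k_{r mod 64})."""
    L, kb = to_bits(x, 32), to_bits(key, 64)
    step = round_backward if inverse else round_forward
    order = reversed(range(nrounds)) if inverse else range(nrounds)
    for r in order:
        L = step(L, kb[r % 64])
    return from_bits(L)


def f(x, key):            # 64 rounds: every key bit used exactly once
    return rounds(x, key, 64)


def g(x, key):            # 16 rounds: only k_0..k_15 are used
    return rounds(x, key, 16)


def f_iter(x, key, m):    # f_k^(m)
    for _ in range(m):
        x = f(x, key)
    return x


def encrypt(p, key):
    """All 528 = 8*64 + 16 rounds of Figure 1 in one pass."""
    return rounds(p, key, 528)


def encrypt_factored(p, key):
    """The same cipher written as g_k(f_k^(8)(p)), as in Section 4.1."""
    return g(f_iter(p, key, 8), key)


def decrypt(c, key):
    x = rounds(c, key, 16, inverse=True)          # undo g_k
    for _ in range(8):
        x = rounds(x, key, 64, inverse=True)      # undo each f_k
    return x


def peel_off(c, subkey16):
    """g_k^{-1}(c) from the 16 guessed sub-key bits alone, turning a code-book
    pair (p, c) into (p, f_k^(8)(p))."""
    return rounds(c, subkey16 & 0xFFFF, 16, inverse=True)


if __name__ == "__main__":
    c = encrypt(SAMPLE_P, SAMPLE_KEY)
    print(hex(c), c == encrypt_factored(SAMPLE_P, SAMPLE_KEY))
    print(decrypt(c, SAMPLE_KEY) == SAMPLE_P)
    print(peel_off(c, SAMPLE_KEY) == f_iter(SAMPLE_P, SAMPLE_KEY, 8))
```

Because each round shifts the register by one bit, sixteen bits of $g_k$'s input survive (shifted) in its output: `g(x, key) & 0xFFFF == x >> 16` under the conventions above.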



4.2 Bard's Dissertation Attack 

This attack assumes some portion of the code-book is available. So long as two fixed points are found, the attack can succeed. One can show that if there are two plaintexts that are fixed on the first 64 rounds of the encryption, i.e. $f(p_1) = p_1$ and $f(p_2) = p_2$, then this is sufficient information to perform an algebraic cryptanalysis, see [3, Ch. 2] [2, Ch. 3]. One writes polynomials for those two equalities and uses SAT-solvers to solve them, see [4] [2, Ch. 6].

The question becomes how to obtain those pairs. First, the part of the key used in $g_k$, which is 16 bits in length, is simply guessed. This has success probability $2^{-16}$. Then $g_k^{-1}$ can be used. This allows for $(p, c)$, the plaintext-ciphertext pairs in the code-book, to be replaced by $(p, g_k^{-1}(c))$, which are now actually $(p, f_k^{(8)}(p))$. Those with $p = f_k^{(8)}(p)$ are points fixed by $f_k^{(8)}$, and so by Theorem 3.6, they are points of order $\{1, 2, 4, 8\}$ for $f_k$. Thus, the fixed points of $f_k$, which are usable for the cryptanalysis, are a subset of those for $f_k^{(8)}$, which we can find.

Theorem 4.1. Let $\pi$ be a random permutation from $S_n$. The probability that $\pi$ has $c_1$ fixed points and $c_2$ cycles of lengths 2, 4, or 8 is given by

$$\frac{1}{c_1!\,c_2!}\left(\frac{7}{8}\right)^{c_2} e^{-15/8}$$

in the limit as $n \to \infty$.



Proof. Note that the set of permutations on $n$ elements, with $c_1$ fixed points, and $c_2$ cycles of length 2, 4, or 8, can be thought of as a triple labelled product. The first item in the product is from $\mathcal{P}^{(\{1\},\{c_1\})}$, the second item from $\mathcal{P}^{(\{2,4,8\},\{c_2\})}$, and the third item from $\mathcal{P}^{\{1,2,4,8\}}$. We must now calculate the EGF.

The first item has $\alpha(z) = z$ and $\beta(z) = z^{c_1}/c_1!$, for an EGF of $\beta(\alpha(z)) = z^{c_1}/c_1!$. The second item has $\alpha(z) = z^2/2 + z^4/4 + z^8/8$ and $\beta(z) = z^{c_2}/c_2!$, therefore an EGF of $\beta(\alpha(z)) = \frac{1}{c_2!}\left[z^2/2 + z^4/4 + z^8/8\right]^{c_2}$. Finally, the third item has EGF given by Lemma 3.2,

$$\exp\left(\log\left(\frac{1}{1-z}\right) - z - \sum_{i \in \{2,4,8\}}\frac{z^i}{i}\right) = \frac{1}{1-z}\exp\left(-\sum_{i \in \{1,2,4,8\}}\frac{z^i}{i}\right),$$

giving a final, total EGF of

$$f(z) = \frac{z^{c_1}}{c_1!}\cdot\frac{1}{c_2!}\left[\frac{z^2}{2} + \frac{z^4}{4} + \frac{z^8}{8}\right]^{c_2}\cdot\frac{1}{1-z}\exp\left(-\sum_{i \in \{1,2,4,8\}}\frac{z^i}{i}\right).$$

Multiplying by $1 - z$ and taking the limit as $z \to 1^-$, via Theorem 2.4 we obtain

$$\frac{1}{c_1!\,c_2!}\left(\frac{1}{2} + \frac{1}{4} + \frac{1}{8}\right)^{c_2} e^{-(1 + \frac{1}{2} + \frac{1}{4} + \frac{1}{8})} = \frac{1}{c_1!\,c_2!}\left(\frac{7}{8}\right)^{c_2} e^{-15/8}. \qquad \square$$

The method requires $c_1 \ge 2$, otherwise the attack fails. This can be easily calculated as $1 - \Pr\{c_1 = 0\} - \Pr\{c_1 = 1\} \approx 0.2642$ probability of success.

Second, suppose that $\eta$ is the fraction of the code-book available. Then any given fixed point is found with probability $\eta$ in the known part of the code-book, and so at least two will be found with probability

$$1 - \binom{c_1}{0}(1-\eta)^{c_1} - \binom{c_1}{1}\eta(1-\eta)^{c_1-1} = 1 - (1-\eta)^{c_1-1}\left[1 + (c_1 - 1)\eta\right],$$

and so the following $\eta$ and success probabilities can be found, generated by Theorem 3.5 and listed in Table 1. Note, these are absolute probabilities, not probabilities given $c_1 \ge 2$.

η         10%     20%     30%     40%     50%
Success   0.47%   1.75%   3.69%   6.16%   9.02%

η         60%     70%     80%     90%     100%
Success   12.19%  15.58%  19.12%  22.75%  26.42%

Table 1. Success Probabilities of Bard's Dissertation Attack

Using Maple, one can also calculate exactly when the probability of having the two fixed points in the $\eta$ fraction of the code-book is one-half. This is at $\eta = 63.2\%$, remarkably close to the empirical calculation in [3, Ch. 2].
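Table 1 recomputed, as an added Python example that is not the paper's Maple computation: it sums the Theorem 3.5 probabilities against the at-least-two formula above, checks the closed form $1 - (1+\eta)e^{-\eta}$ that the sum collapses to, and bisects for the $\eta$ at which the probability given $c_1 \ge 2$ reaches one half, for comparison with the figure above.

```python
# Added example (not the paper's code): Table 1 from Theorem 3.5 and the
# "at least two of the c1 fixed points lie in the known fraction" formula,
# plus the eta at which the success probability given c1 >= 2 is one half.
from math import exp, factorial


def prob_c1_fixed_points(c1):
    """Theorem 3.5: a random permutation has c1 fixed points with probability 1/(c1! e)."""
    return exp(-1.0) / factorial(c1)


def prob_at_least_two_found(c1, eta):
    """At least two of c1 fixed points fall inside a known fraction eta of the code-book."""
    if c1 < 2:
        return 0.0
    return 1.0 - (1.0 - eta) ** c1 - c1 * eta * (1.0 - eta) ** (c1 - 1)


def attack_success(eta, max_c1=60):
    """Absolute success probability of Bard's attack with a fraction eta of the code-book.

    The Poisson(1) weights of Theorem 3.5 are summed against the probability of
    seeing two fixed points; analytically the sum collapses to 1 - (1 + eta) e^{-eta}."""
    return sum(prob_c1_fixed_points(c) * prob_at_least_two_found(c, eta)
               for c in range(2, max_c1 + 1))


def closed_form(eta):
    """1 - (1 + eta) e^{-eta}, the same quantity in closed form."""
    return 1.0 - (1.0 + eta) * exp(-eta)


def success_table(etas):
    """The rows of Table 1, as percentages rounded to two decimals."""
    return {eta: round(100.0 * attack_success(eta), 2) for eta in etas}


def eta_for_half_conditional_success(tol=1e-9):
    """Bisect for the eta at which P(success | c1 >= 2) = 1/2.

    attack_success(1.0) = 1 - 2/e is exactly P(c1 >= 2), so the conditional
    probability is attack_success(eta) / attack_success(1.0), increasing in eta."""
    target = attack_success(1.0) / 2.0
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if attack_success(mid) < target:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


if __name__ == "__main__":
    for eta, pct in success_table([i / 10 for i in range(1, 11)]).items():
        print(f"eta = {eta:.0%}  success = {pct:.2f}%")
    print("eta for conditional one-half:", eta_for_half_conditional_success())
```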

Note that while finding two fixed points of $f_k$ is enough to break the cipher, using SAT-solvers as noted above, the fixed points of $f_k^{(8)}$ are still an annoyance. Our post-processed code-book will have all the fixed points of $f_k^{(8)}$ in it, and at worst we must try all pairs.

If $\pi$ has $c_1$ fixed points, and $c_2$ cycles of length 2, 4, or 8, then $\pi^8$ has at most $c_1 + 8c_2$ fixed points, as each cycle of length 2 produces 2, of length 4 produces 4, and of length 8 produces 8. Thus of the $c_2$ cycles of length 2, or 4, or 8, at most $8c_2$ fixed points are produced. This means in the code-book we have at most $c_1 + 8c_2$ fixed points, or $(c_1 + 8c_2)(c_1 + 8c_2 - 1)/2$ pairs of them. At absolute worst, we have to check all of them. The expected value of the number of pairs, given $c_1 \ge 2$, can be calculated with Maple, and is $113/2 - 105/e \approx 17.87$. As each pair takes less than a minute, this is not the rate-determining step.

The post-processing of the code-book will take much more time, $\eta\, 2^{32}$ Keeloq encryptions, but this is still much smaller than brute-forcing the $2^{64}$ keys.
4.3 The Courtois-Bard-Wagner Attack

Again, in this attack (first published in [11]), we will iterate over some portion of the code-book. One property of the cipher Keeloq is that only one bit is changed per round. Thus the last sixteen rounds, represented by $g_k(x)$, only affect sixteen bits of the ciphertext. Thus, if $x$ is a fixed point of $f_k^{(8)}$, then 48 out of the 64 bits will match, compared between the plaintext and the ciphertext. One can easily scan for this property.

This matching property will always occur for a fixed point of $f_k^{(8)}$, but it happens by coincidence with probability $2^{-16}$. Therefore, the number of code-book entries with this property will be the number of fixed points of $f_k^{(8)}$, plus an expected $2^{-16} \cdot 2^{32} = 2^{16}$ "red herrings". What is remarkable is that [11] contains a formula for the 16 key bits that would cause the effect if it were because the plaintext were a fixed point (i.e. not a coincidence). Therefore, each code-book entry with the matching property can be tagged with a 16-bit potential sub-key.

As it turns out, the 16-bit sub-key, as well as any single plaintext-ciphertext pair that is a fixed point of $f_k$, not merely of $f_k^{(8)}$, is enough to mount an algebraic attack. Thus we have the following steps. Let $c_3$ denote the number of fixed points of $f_k^{(8)}$.

(1) Check all $2^{32}$ code-book entries for the matching property.

(2) Of these (roughly $2^{16} + c_3$) plaintext-ciphertext pairs, compute the sub-key that they imply.

(3) For each plaintext-ciphertext pair with the property, set up an algebraic cryptanalysis problem with the one pair, assuming it is a fixed point of $f_k$, and assuming the sub-key is correct.

(4) If an answer is obtained, verify assumptions. If assumptions turned out to be false, or if the problem is "unsatisfiable", go to Step 3.

Sorting upon this sub-key between Step 2 and Step 3 would reveal which are the 
likely pairs, as the same sub-key will tag all the fixed points of f_k and f_k^{(8)}. We expect 
each of the 2^{16} "red herrings" to be tagged with uniformly randomly distributed poten-
tial sub-keys. Therefore, in the first very few Step 3 and Step 4 executions, we would 
obtain the key. 

What is needed for success? First, that f_k have at least one genuine fixed point. This 
occurs with probability 1 − 1/e, as proven in Corollary 3.4, and is roughly 0.6321. 
Second, the expected amount of work in Step 1 is at most 2^{32} Keeloq encryptions, and 
a more precise estimate is found in [11]. Third, Step 2 is negligible. Fourth, for Step 3 
and Step 4, we must execute these stages for each potential sub-key. Given the model 
of the previous attack, and using Theorem 4.1, we can obtain a bound on the expected 
number of repetitions of Steps 3 and 4. This is upper-bounded by the expected value 
of c_1 + 8c_2 given that c_1 > 0. Using Maple, this comes to 113/2 − 46/e ≈ 39.58, 
the difference being that we now allow c_1 = 1, which was previously forbidden. Of 
course, without the sorting explained in the previous paragraph, the expected number 
of Step 3 and Step 4 executions would be around 2^{15}. 
5 Highly Iterated Ciphers 

Here we present two attacks which, while nowhere near practical feasibility, present 
surprising results that the authors did not anticipate. 

Suppose there were three naive cryptography students, who choose to use 3-DES 
iterated (see footnote 2) approximately one million times, because they are told that this will slow 
down a brute force attacker by a factor of one million. Alice will choose 1,000,000 
iterations, Bob will choose 1,081,079 iterations and Charlie will choose 1,081,080 it-
erations. Intuitively, one would not expect these three choices to have significantly 
different security consequences. 

However, assuming that the 3-DES cipher for a random key behaves like a randomly 
chosen permutation from S_{2^{64}}, these permutations will have, in expectation, 

$$\tau(1{,}000{,}000) = 49, \qquad \tau(1{,}081{,}079) = 2, \qquad \tau(1{,}081{,}080) = 256$$

fixed points respectively, which allows for the following distinguisher attack. It is noteworthy that 
Charlie's number is the lowest positive integer x to have τ(x) = 256, while Bob's 
number (only one less) is prime, and thus has τ(x − 1) = 2. This enables the dramatic 
difference in vulnerability to the attack. 

In a distinguishing attack, the attacker is presented either with a cipher, or with a 
random permutation from the set of those with the correct domain. Randomly iterate 
through 1/64 of the plain-space. If a fixed point is found, guess that one is being given 
a user cipher. If no fixed point is found, guess random. 

In the case of Alice's implementation, there will be an expected ≈ 0.766 
fixed points within the searched 1/64 of the plain-space. In the case of Bob's, 1/32 expected fixed points. In the case of Char-
lie's, 4 expected fixed points. A random permutation would have 1/64 expected fixed 
points. Thus, we can see that Charlie's would be easily distinguishable from a random 
permutation, but Bob's much less so. Against Alice, the attack could definitely still be 
mounted, but with an intermediate probability of success. To make this notion precise, 
we require the probability distribution of the number of fixed points of π^k. In fact, one 
can prove the following. 

Theorem 5.1. Let π ∈ S_n be a permutation chosen at random; then the c-th term of the 
following EGF 

is the probability that π^k has exactly c fixed points. 

Proof. Consider the double EGF of Theorem 3.8, 

$$a(y,z) = \frac{1}{1-z}\exp\Big(\sum_{d \mid k} \frac{y^d - z^d}{d}\Big).$$

Recall, the coefficient of y^s z^t is the probability that π^k ∈ S_{s+t} has s fixed points. 
Now, for any given s, we can find the probability that π^k ∈ S_n has s fixed points (in 
the limit as n → ∞), by evaluating lim_{z→1} (1 − z) a(y,z). The result is the EGF 

□ 
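Carrying the limit in the proof above through explicitly, as an added worked derivation that is not part of the original paper (it assumes only the double EGF a(y,z) written in the proof and the divisor-sum notation of Lemma A.1):

$$(1-z)\,a(y,z) = \exp\Big(\sum_{d \mid k} \frac{y^d - z^d}{d}\Big) \;\longrightarrow\; P_k(y) := \exp\Big(\sum_{d \mid k} \frac{y^d - 1}{d}\Big) \quad (z \to 1),$$

the sum over d | k being finite, so the limit may be taken term by term. Three checks on P_k(y):

$$P_k(1) = 1, \qquad P_k'(1) = P_k(1)\sum_{d \mid k} 1 = \tau(k), \qquad P_k(0) = \exp\Big(-\sum_{d \mid k} \frac{1}{d}\Big) = e^{-\sigma(k)/k}.$$

So the coefficients of y^c sum to one, the expected number of fixed points of π^k is τ(k) (which is where τ(1,000,000) = 49, τ(1,081,079) = 2 and τ(1,081,080) = 256 come from), and the constant term is the derangement probability of Corollary A.2. For k = 1 this reduces to exp(y − 1) = e^{-1} Σ_{c ≥ 0} y^c / c!, the familiar probability e^{-1}/c! of exactly c fixed points.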



2 Since the brute force attack is the optimal attack known at this time, it is perhaps not completely unreason- 
able. The classic UNIX implementations encrypt with a variant of DES 25 times, for example [13, Ch. 8]. 
However, the above requires us to have 256 terms inside the exponential, for 
there are 256 positive integers dividing 1,081,080, and we will need to know the co-
efficient of the c-th term for at least 1000 terms. Therefore, we are compelled to leave 
this as a challenge for the computer algebra community. 

Meanwhile, we performed the following experiment. We generated 10,000 random 
permutations π from S_{10,000} and raised each to the k-th power for the values of k listed 
below. Then we calculated c, the number of fixed points of π^k, and determined whether a search of 
the first 1/64th of the domain would reveal no fixed points. That probability is given by 

$$(1 - c/n)^{n/64} \approx e^{-c/64}$$

and taking the arithmetic mean over all experiments, one obtains 

                 No fixed points   One or more 
k = 1            0.985041          0.014959      Random 
k = 1000000      0.797284          0.202716      Alice 
k = 1081079      0.984409          0.015591      Bob 
k = 1081080      0.418335          0.581665      Charlie 

Perhaps this is unsurprising, as in the case of Charlie, we expect 256 fixed points, 
and so it would be surprising if all of those were missing from a part of the domain 
equal to l/64th of the total domain in size. On the other hand, for Bob we expect only 
2 fixed points, and it is exceptional that we find one by accident. 

Finally, we observe that if there is an equal probability of an adversary being pre-
sented with a random permutation from S_{2^{64}} or with 3-DES under the key of one of our three users, 
iterated to their exponent, then the success probability of the attacker would be 59.39% for Al-
ice, 50.03% for Bob, and 78.34% for Charlie. Note that in each case we check 
only 2^{64}/64 = 2^{58} plaintexts, and so this attack is 2^{112}/2^{58} = 2^{54} times faster than 
brute-force. 
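The experiment and the distinguisher above, re-run in code as an added example (this is not the authors' code; it assumes Python's random.shuffle as the source of uniformly random permutations, and its default sizes, n = 10,000 with 200 trials per k, are smaller than the paper's 10,000 permutations). Fixed points of π^k are counted by walking cycles rather than composing π with itself a million times, since a point is fixed by π^k exactly when its cycle length divides k.

```python
import random


def divisors(k):
    """All positive divisors of k, by trial division up to sqrt(k)."""
    small, large = [], []
    d = 1
    while d * d <= k:
        if k % d == 0:
            small.append(d)
            if d * d != k:
                large.append(k // d)
        d += 1
    return small + large[::-1]


def tau(k):
    """tau(k): number of positive divisors of k, the expected number of
    fixed points of pi^k for a random permutation pi (Theorem 5.1)."""
    return len(divisors(k))


def sigma_over_k(k):
    """sigma(k)/k = sum over d | k of 1/d (Lemma A.1); exp(-sigma(k)/k) is the
    limiting probability that pi^k has no fixed point at all (Corollary A.2)."""
    return sum(1.0 / d for d in divisors(k))


def fixed_points_of_power(perm, k):
    """Number of fixed points of perm^k, where perm[i] is the image of i.
    A point is fixed by perm^k iff its cycle length divides k, so one walk
    over the cycles replaces k-fold composition."""
    n = len(perm)
    seen = [False] * n
    count = 0
    for start in range(n):
        if seen[start]:
            continue
        length, x = 0, start
        while not seen[x]:
            seen[x] = True
            x = perm[x]
            length += 1
        if k % length == 0:
            count += length
    return count


def prob_search_misses(c, n, fraction=64):
    """Probability that scanning n/fraction random plaintexts misses all c
    fixed points: (1 - c/n)^(n/fraction), approximately exp(-c/fraction)."""
    return (1.0 - c / n) ** (n / fraction)


def simulate(n, k, trials, seed=1):
    """The paper's experiment for one k with n-element permutations: average
    over random permutations the probability that a 1/64 search finds no
    fixed point of pi^k.  Also reports the empirical mean of c next to tau(k)."""
    rng = random.Random(seed)  # fixed seed: constructed, reproducible sample
    miss_total = 0.0
    fixed_total = 0
    for _ in range(trials):
        perm = list(range(n))
        rng.shuffle(perm)
        c = fixed_points_of_power(perm, k)
        fixed_total += c
        miss_total += prob_search_misses(c, n)
    p_miss = miss_total / trials
    return {
        "k": k,
        "tau": tau(k),
        "mean_fixed_points": fixed_total / trials,
        "p_no_fixed_point_found": p_miss,
        "p_fixed_point_found": 1.0 - p_miss,
    }


def distinguisher_success(p_found_given_cipher, p_not_found_given_random):
    """Success probability of the distinguisher when the iterated cipher and a
    random permutation are presented with equal probability: guess 'cipher'
    when a fixed point is found, 'random' otherwise."""
    return 0.5 * (p_found_given_cipher + p_not_found_given_random)


if __name__ == "__main__":
    ks = (1, 1_000_000, 1_081_079, 1_081_080)  # random, Alice, Bob, Charlie
    results = {k: simulate(10_000, k, trials=200) for k in ks}
    p_random_miss = results[1]["p_no_fixed_point_found"]
    for k, r in results.items():
        adv = distinguisher_success(r["p_fixed_point_found"], p_random_miss)
        print(f"k={k:>8}  tau={r['tau']:>3}  mean c={r['mean_fixed_points']:8.3f}  "
              f"P(no fixed point in 1/64)={r['p_no_fixed_point_found']:.4f}  "
              f"distinguisher success={adv:.4f}")
```

Two things the run makes visible that the table does not: for finite n only divisors d ≤ n can occur as cycle lengths, so the empirical mean of c sits a little below τ(k) for Charlie's number (which has divisors above 10,000); and feeding the table's own entries to distinguisher_success, e.g. distinguisher_success(0.202716, 0.985041), reproduces the 59.39% / 50.03% / 78.34% figures for Alice, Bob and Charlie.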



A General Maxim: If a permutation must be iterated for some reason, then it should 
be iterated a prime number of times, to avoid fixed points. 

5.1 A Key Recovery Attack 

Consider the cipher given by 

$$F_{k_1,k_2}(p) = E_{k_1}\big(E_{k_2}^{(n)}(E_{k_1}(p))\big) = c$$

where k_1 and k_2 are keys, E is encryption with a block cipher, E^{(n)} denotes its n-fold 
iteration, and D_k(c) = p denotes decryption. If E is DES and n = 1, then this is the "triple DES" construction. Here, 
we consider that E is AES-256 as an example, and n is Charlie's number, 1081080. 
Then F is a block cipher with 512-bit key and 128-bit plaintext block. We will refer to 
k_1 as the outer key, and k_2 as the inner key. 

Suppose an attacker had an oracle for F that correctly encrypts with the correct 
k_1 and k_2 that the target is using. Call this oracle φ(p). Observe that G_{k_3}(x) = 
D_{k_3}(φ(D_{k_3}(x))) will have G_{k_3}(x) = E_{k_2}^{(n)}(x) if and only if k_3 = k_1. Thus if we 
can correctly guess the outer key, we have an oracle for the n-th iteration of encryption 
under the inner key. If k_3 ≠ k_1, then provided that E_{k_1} is computationally indistinguish-
able from a random permutation from S_{2^{128}} when k_1 is chosen uniformly at random (a 
standard assumption), G_{k_3}(x) also behaves as a random permutation. 

Thus, for k_1 = k_3, we can expect G_{k_3}(x) to behave like Charlie's cipher in the 
previous section, and for k_1 ≠ k_3, we can expect G_{k_3}(x) to behave like a random 
permutation in the previous section. 

Let one run of the distinguishing attack signify guessing all possible k_3 values, and 
executing the previous section's attack for each key. If "random" is indicated (i.e. no 
fixed point found), then we reject the k_3, but if "real" is indicated (i.e. at least one fixed 
point found), then we add k_3 to a "candidate list". 

After one run of this distinguishing attack, we would have a candidate list of outer 
keys of expected size 

$$(0.014959)\,(2^{256} - 1) + (0.581665)\,(1)$$

where the success probabilities are given in the previous section, for the attack on 
Charlie. 

If we repeat the distinguisher attack on these candidate keys, taking care to use a 
distinct set of plaintexts in each search, the success probabilities will be the same. This 
non-overlapping property of the plaintext search could be enforced by selecting the six 
highest-order bits of the plaintext to be the run number n. After n runs, we would expect 
the list to contain 

$$(0.014959)^n\,(2^{256} - 1) + (0.581665)^n\,(1)$$

candidate keys. 

Of course, the true k_3 = k_1 key will be present with probability 0.581665^n. Next, for 
each key k_c on the candidate list, we will check all possible 2^{256} values of k_2 (the guess 
denoted k_x), via checking whether 

$$p = \phi\big(D_{k_c}(D_{k_x}^{(n)}(D_{k_c}(p)))\big)$$

which will be true if k_x = k_2 and k_c = k_1. This check should be made for roughly 
4-6 plaintexts, to ensure that the match is not a coincidence. This necessity arises 
from the fact that the cipher has a 512-bit key and a 128-bit plaintext block. We will be very 
conservative, and select 6. 

The number of encryptions required for the n runs is 

$$(1081080 + 4)\Big(\frac{2^{128}}{64}\Big)\Big(2^{256} + (0.014959)(2^{256}) + (0.014959)^2(2^{256}) + (0.014959)^3(2^{256}) + \cdots + (0.014959)^n(2^{256})\Big)$$

$$= (1081080 + 2)\,(2^{378})\,\frac{1 - (0.014959)^{n+1}}{1 - 0.014959} = 2^{398.06579\cdots}\,(1 - 0.014959^{n+1})$$
and for the second stage 

$$(6)(2)(2 + 1081080)(2^{256})(0.014959^n)(2^{256}) = (2^{535.6290\cdots})(0.014959^n) = 2^{535.6290 - 6.062842\,n}$$

for a success probability of (0.581665)^n. 

Using Maple, we find that n = 23 is optimal, leaving a candidate list of 2^{116.555⋯} 
possible keys, and requiring 2^{398.41207⋯} encryptions, but with success probability 
(0.581665)^{23} ≈ 2^{−17.98001⋯}. A brute-force search of the 2^{512} possible keys would 
have (6)(2)(1081082)2^{512} encryptions to perform, or 2^{535.629007⋯}. Naturally, if a suc-
cess probability of 2^{−17.98001⋯} were desired, then only 2^{517.649⋯} encryptions would be 
needed for that brute-force search. 

Therefore this attack is 2^{119.237} times faster than brute-force search. 

6 Conclusions 

In this paper, we presented a known theorem on the probabilities of random permuta- 
tions having given cycle structures and cycle counts, along with several useful corol- 
laries. To demonstrate the applicability of this technique to cryptanalysis, we have 
taken two attacks which were heretofore presented at least partially heuristically, and 
made them fully rigorous. It is hoped that other attacks which rely upon detecting 
these probabilities via experimentation will be made rigorous as well, by calculation 
via EGFs and OGFs. We also hope that we have demonstrated the utility of analytic 
combinatorics in general, as well as EGFs and OGFs in particular. 

We also presented a new attack, on very highly iterated permutations. While the sce-
nario is not reasonable, and it is only a distinguisher attack, it is also interesting that the 
τ function occurs here. If a permutation should be highly iterated, it should be iterated 
a prime number of times. However, the choice of 25 on the part of UNIX designers was 
not bad, as τ(25) = 3. We also extended this to a key-recovery attack, in an unusual 
context. It is unclear in what situations such large numbers of iterations would occur, 
but from a pure mathematical point of view, the additional security granted by prime 
iteration counts is interesting. 
A Of Pure Mathematical Interest 

The authors encountered the following interesting connections with some concepts in 
number theory, but they turned out to be not needed in the body of the paper. We 
present them here for purely scholarly interest. 
A.1 The Sigma Divisor Function 

Lemma A.1. The sum Σ_{i | k} 1/i = σ(k)/k, where both i and k are positive integers, and 
where σ(k) is the divisor function (i.e. the sum of the positive integers which divide k). 

Proof. 

$$\sum_{i \mid k} \frac{1}{i} = \sum_{i \mid k} \frac{1}{k}\cdot\frac{k}{i} = \frac{1}{k}\sum_{i \mid k} \frac{k}{i} = \frac{1}{k}\sum_{i \mid k} i = \frac{\sigma(k)}{k},$$

since k/i runs over the divisors of k as i does. 

Corollary A.2. Let π be a permutation taken at random from S_n. The probability that 
π^k is a derangement is e^{−σ(k)/k}, in the limit as n → ∞. 

Proof. Let D be the set of positive integers dividing k. From Corollary 3.7, we know 
that x is a fixed point of π^k if and only if x lies in a cycle of π whose length is in D. 
We will use Corollary 3.2, with A = D. We obtain that the probability is e^{−Σ_{d ∈ D} 1/d}, 
and Lemma A.1 gives the desired result. □ 

Note that substituting A = {1} into the above yields the same result as Corollary 3.4. 

A.2 Apéry's Constant 

Corollary 3.3 provides an amusing connection with Riemann's zeta function. Recall, 
for complex s, the infinite series Σ_{n ≥ 1} 1/n^s defines the "zeta function" ζ(s), provided 
the series converges. 

Corollary A.3. The probability that a random permutation (in the limit as the size 
grows to infinity) does not contain cycles of square length is: 

$$e^{-\sum_{i \ge 1} 1/i^2} = e^{-\zeta(2)} = e^{-\pi^2/6} \approx 0.19302529,$$

or roughly 1/5. 

Corollary A.4. The probability that a random permutation (in the limit as the size 
grows to infinity) does not contain cycles of cube length is: e^{−ζ(3)} ≈ 0.30057532. 

Note, ζ(3) is known as Apéry's constant [1], and occurs in certain quantum electro-
dynamical calculations, but is better known to mathematicians as being the probability 
that any three integers chosen at random will have no common factor dividing them all 
[16]. 